Abstract. We present an algorithm that, on input of an integer $N > 1$ together with its prime factorization, constructs a finite field $\mathbf{F}$ and an elliptic curve $E$ over $\mathbf{F}$ for which $E(\mathbf{F})$ has order $N$. Although it is unproved that this can be done for all $N$, a heuristic analysis shows that the algorithm has an expected run time that is polynomial in $2^{\omega(N)} \log N$, where $\omega(N)$ is the number of distinct prime factors of $N$. In the cryptographically relevant case where $N$ is prime, an expected run time $\widetilde{O}((\log N)^{4+\varepsilon})$ can be achieved. We illustrate the efficiency of the algorithm by constructing elliptic curves with point groups of order $N = 10^{2004}$ and $N = \mathrm{nextprime}(10^{2004}) = 10^{2004} + 4863$.



1. Introduction 

For an elliptic curve $E$ defined over the finite field $\mathbf{F}_q$ of $q$ elements, the order $N = \#E(\mathbf{F}_q)$ of the group of $\mathbf{F}_q$-rational points of $E$ is an integer in the Hasse interval

$$\mathcal{H}_q = [(\sqrt{q}-1)^2, (\sqrt{q}+1)^2] = [q + 1 - 2\sqrt{q},\; q + 1 + 2\sqrt{q}] \qquad (1.1)$$

around $q$. Various point counting algorithms [20, 18, 13] have been developed over the last 20 years that compute $N$ in polynomial time from the standard representation of $E$ by a Weierstrass equation over $\mathbf{F}_q$. A natural 'inverse problem' to the point counting problem is the following.

Problem 1. Given a finite field $\mathbf{F}_q$ and an integer $N \in \mathcal{H}_q$, find an elliptic curve $E/\mathbf{F}_q$ for which $E(\mathbf{F}_q)$ has order $N$.

If $q = p$ is a prime number, then all integers $N \in \mathcal{H}_p$ arise as the order of an elliptic curve over $\mathbf{F}_p$, and a solution to Problem 1 always exists. For prime powers $q = p^k$ with $k > 1$ this is not generally true: the values $N \in \mathcal{H}_q$ having $N \equiv 1 \bmod p$ can only be realized by supersingular elliptic curves over $\mathbf{F}_q$, and these are in most cases too rare [22, Theorem V.4.1] to account for all values $N \equiv 1 \bmod p$ in $\mathcal{H}_q$. On the other hand, all values $N \not\equiv 1 \bmod p$ in $\mathcal{H}_q$ do arise as orders of elliptic curves over $\mathbf{F}_q$.

No algorithm is known to solve Problem 1 (in the cases where a solution exists) in a time that is polynomially bounded in the input size $\log q \sim \log N$. Due to the fact that point counting of elliptic curves over $\mathbf{F}_q$ can be done in polynomial time, the naive probabilistic algorithm of trying random curves $E/\mathbf{F}_q$ until a curve with the right number of points is found has expected run time $\widetilde{O}(N^{1/2})$. Here we use the $\widetilde{O}$-notation to indicate that terms that are of logarithmic size in the main term have been disregarded.

Simple-minded as it is, the naive algorithm compares favorably to the deterministic complex multiplication algorithm to solve Problem 1 that is discussed in the next section. This is due to the size of the auxiliary polynomials ('class polynomials') in that algorithm, which become prohibitively large for most pairs $(q, N)$. In order to obtain algorithms that are substantially better than the naive method, one can relax the conditions in Problem 1 in the following way.

Problem 2. Given an integer $N > 1$, find a finite field $\mathbf{F}$ and an elliptic curve $E/\mathbf{F}$ for which $E(\mathbf{F})$ has order $N$.

In the case where the discrete logarithm problem in $E(\mathbf{F})$ is the basis of a cryptosystem, it is important that $N$ has certain properties, e.g., that it is divisible by or equal to a large prime number, whereas the precise value of $q = \#\mathbf{F}$ is less relevant. In this case one needs a solution to Problem 2, not to Problem 1. The observation is not new, and both problems occur in the list of problems in the introduction of [15] that 'can be solved'.

The main result of this paper is that, even though no efficient solution to Problem 1 is known, Problem 2 does admit such a solution if $N$ is provided to the algorithm in factored form. For practical applications, such as those in elliptic curve cryptography, it is unlikely that one will need or want to use elliptic curves for which the factorization of the group order is unknown, so requiring the factorization of $N$ to be part of the input is not a severe restriction. Our solution to Problem 2 for factored orders $N$ is almost polynomial time, provided that one is willing to assume a number of 'standard heuristic assumptions' that we will make explicit in Section 4.

Main Theorem. There exists an algorithm that, on input of an integer $N > 1$ together with its factorization, returns a prime number $p$ and an elliptic curve $E/\mathbf{F}_p$ with $\#E(\mathbf{F}_p) = N$ whenever such a pair $(E, p)$ exists. Under standard heuristic assumptions, a pair $(E, p)$ exists for all $N$, and the expected run time of the algorithm is polynomial in $2^{\omega(N)} \log N$. Here $\omega(N)$ denotes the number of distinct prime factors of $N$.

Although the run time in the Main Theorem is not polynomial in the usual sense, it is polynomial in $\log N$ outside a zero density subset of $\mathbf{Z}_{>1}$ consisting of very smooth input values $N$. Note that such $N$ are not used in cryptographic applications, as the discrete logarithm problem in groups of smooth order tends to be easy.

Corollary. If the input values $N$ in the Main Theorem are restricted to be prime numbers or, more generally, to be in the density 1 subset of $\mathbf{Z}_{>1}$ consisting of those $N$ having $\omega(N) < 2 \log\log N$, then the expected run time is polynomial in $\log N$.
The factorization of $N$ is used by the algorithm in the Main Theorem to reduce square root extractions of small integers modulo $N$ to square root extractions modulo the prime factors of $N$. It is here that the approximate number $2^{\omega(N)}$ of such roots enters the run time of the algorithm. The precise exponents in the run time depend on one's willingness to accept fast multiplication techniques and probabilistic subroutines in the algorithm. For instance, the square root extractions of small integers modulo the prime factors of $N$ can be done efficiently by probabilistic means or, much less efficiently, but still in time polynomial in $2^{\omega(N)} \log N$, by a deterministic algorithm [20]. Similarly, one may require for the prime number $p$ returned by the algorithm that its primality is proved by a deterministic AKS-type polynomial time algorithm, or employ a faster probabilistic algorithm to do so. If we insist on guaranteed correct output, i.e., a proven prime $p$ as the characteristic of our curve $E$, but allow fast multiplication and probabilistic subroutines of the kind mentioned above, the heuristic run time of our algorithm is $\widetilde{O}(2^{\omega(N)} (\log N)^{4+\varepsilon})$ for every $\varepsilon > 0$ (Corollary 4.4). In the cryptographically relevant case where $N$ is prime [19, 14], this becomes $\widetilde{O}((\log N)^{4+\varepsilon})$ (Corollary 4.2).

It should not come as a surprise that our solutions to Problem 2 are elliptic curves defined over prime fields. Indeed, it is easy to see that the union of the Hasse intervals $\mathcal{H}_q$ over the prime powers $q$ that are not primes is a zero density subset of $\mathbf{Z}_{>1}$. Solvability of Problem 2 for all values of $N$ is therefore in an informal sense 'equivalent' to the fact that the union of the Hasse intervals $\mathcal{H}_p$ over the primes $p$ contains $\mathbf{Z}_{>1}$. Defining the Hasse interval around arbitrary integers $q$ by formula (1.1), we have the equivalence

$$N \in \mathcal{H}_q \iff q \in \mathcal{H}_N, \qquad (1.2)$$

and we see that we want every Hasse interval $\mathcal{H}_N$ around an integer $N$ to contain a prime number $p$. This amounts to the statement that the size of the 'gaps' between consecutive primes around $N$ does not exceed $4\sqrt{N}$. Although prime gaps of this size are not believed to exist, the best proven upper bound on their size [2] is currently $O(N^{\alpha})$ with $\alpha = 0.525 > 1/2$. Even under assumption of the generalized Riemann hypothesis, the best result [12, Theorem 12.10] is only $O(N^{1/2} \log N)$. This means that we have no proof that Problem 2 is solvable for all $N$, and already for this reason a rigorous run time analysis for our Main Theorem is out of reach.

By the prime number theorem, we expect one out of every $\log N$ integers around $N$ to be prime, so the Hasse interval $\mathcal{H}_N$ of length $4\sqrt{N}$ around $N$ will normally contain many primes $p$. In practice, there is always an abundance of primes $p$ for which there exist elliptic curves $E/\mathbf{F}_p$ of order $N$, and it seems extremely unlikely that the number of primes in $\mathcal{H}_N$, which grows 'on average' as $\widetilde{O}(N^{1/2})$, will be zero for some $N$. The real task of our algorithm is therefore not so much to find a prime $p \in \mathcal{H}_N$, but rather to find a prime $p \in \mathcal{H}_N$ for which a curve $E/\mathbf{F}_p$ of order $N$ can be constructed efficiently. In Section 2, we show how this leads to a new Problem 3, whose efficient solution yields an efficient solution of Problem 2.

Section 3 describes an Algorithm that solves our Problem 3 and finds a suitable prime $p \in \mathcal{H}_N$. Its heuristic run time is derived in Section 4. It is based on various unproved but reasonable statements, such as the fact that random integers in $\mathcal{H}_N$ will be prime with probability $1/\log N$. We also present numerical evidence for such unproved statements. In the case where $N$ is prime, the heuristic arguments are very similar to those going into the analysis of the elliptic curve primality proving algorithm ECPP [17].

Section 5 comments on an efficient implementation of the Algorithm to solve Problem 2. It illustrates its practical applicability by treating as examples 'random' values of $N$ such as $N = 10^{2004}$ and $N = \mathrm{nextprime}(10^{2004}) = 10^{2004} + 4863$.

2. Complex multiplication constructions 

Although much in this section generalizes to arbitrary prime powers $q$, we now focus on the case relevant to us, where $q = p > 3$ is a prime number and $N \in \mathcal{H}_p$ an integer that we want to realize as the order of some elliptic curve $E/\mathbf{F}_p$.

Constructing an elliptic curve $E/\mathbf{F}_p$ having $N$ points roughly comes down to computing the $j$-invariant $j(E) \in \mathbf{F}_p$ of such a curve, and the theory of complex multiplication provides a deterministic way of doing so. If we write $N = p + 1 - t$, then $E/\mathbf{F}_p$ has $\#E(\mathbf{F}_p) = N$ if and only if the Frobenius morphism $F_p$ of $E$ satisfies the quadratic relation

$$F_p^2 - tF_p + p = 0 \qquad (2.1)$$

of discriminant $\Delta = t^2 - 4p < 0$ in $\mathrm{End}(E)$. If $F_p$ satisfies (2.1), then $\mathbf{Z}[F_p] \subset \mathrm{End}(E)$ is isomorphic to the imaginary quadratic order $\mathcal{O}_\Delta$ of discriminant $\Delta$, and $F_p$ corresponds to the element $\pi = \frac{t + \sqrt{\Delta}}{2} \in \mathcal{O}_\Delta$ of trace $t$ and norm $p$. Unless we are in the supersingular case $t = 0$ having $\Delta = -4p$, which is too special to be of interest here, this means that $p = \pi\bar{\pi}$ splits into principal primes in $\mathcal{O}_\Delta$.
Over the field $\mathbf{C}$ of complex numbers, it is a classical result that the isomorphism classes of elliptic curves having endomorphism ring isomorphic to $\mathcal{O}_\Delta$ correspond to the classes of invertible $\mathcal{O}_\Delta$-ideals in the class group $\mathrm{Pic}(\mathcal{O}_\Delta)$ of the order $\mathcal{O}_\Delta$. Invertible $\mathcal{O}_\Delta$-ideals can be viewed as lattices in $\mathbf{C}$, and the $j$-invariants of these lattices are precisely the $j$-invariants of the elliptic curves having endomorphism ring isomorphic to $\mathcal{O}_\Delta$. It follows that we can evaluate these $j$-invariants as values of the modular function $j : \mathbf{H} \to \mathbf{C}$ in points $\tau_Q$ in the complex upper half plane $\mathbf{H}$ representing the ideal classes $[Q] \in \mathrm{Pic}(\mathcal{O}_\Delta)$. More precisely, if we represent the ideal classes of $\mathrm{Pic}(\mathcal{O}_\Delta)$ in the standard way [7, Section 5.2] as reduced binary quadratic forms $Q = aX^2 + bXY + cY^2$ of discriminant $b^2 - 4ac = \Delta$, we have $\tau_Q = \frac{-b + \sqrt{\Delta}}{2a}$. The class polynomial

$$P_\Delta = \prod_{[Q] \in \mathrm{Pic}(\mathcal{O}_\Delta)} \bigl(X - j(\tau_Q)\bigr) \in \mathbf{Z}[X]$$

has integer coefficients, so it can be computed exactly from complex approximations of the $j(\tau_Q)$. In the ordinary case $t \neq 0$, the reduction modulo $p$ of the class polynomial $P_\Delta$ splits into $h(\Delta) = \#\mathrm{Pic}(\mathcal{O}_\Delta)$ distinct linear factors in $\mathbf{F}_p[X]$, and the roots are the $j$-invariants of the elliptic curves over $\mathbf{F}_p$ having endomorphism ring isomorphic to $\mathcal{O}_\Delta$. If $j_0 \neq 0, 1728$ is one of these zeroes in $\mathbf{F}_p$, then the curve $E_a/\mathbf{F}_p$ with Weierstrass equation $Y^2 = X^3 + aX - a$ has $j$-invariant $j_0$ if we choose $a$ to satisfy

$$j_0 = 1728 \cdot \frac{4a}{4a + 27},$$

and its number of points is either $N = p + 1 - t$ or $p + 1 + t$. We easily check in which case we are, by point counting or by simply evaluating $N \cdot P$ and $(p + 1 + t) \cdot P$ for the point $P = (1, 1)$ on $E_a$. If the order is $N$ we are done; if not, then the quadratic twist $Y^2 = X^3 + ag^2X - ag^3$ of $E_a$, with $g$ a non-square in $\mathbf{F}_p^*$, solves our problem. In the special cases $j_0 = 0, 1728$ that we disregard here, there are a few more quadratic twists to consider; see Example 5.2.
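The closing step just described, as an added Python example that is not code from the paper: it computes $a$ from $j_0$, builds $E_a : Y^2 = X^3 + aX - a$, and uses the point $P = (1, 1)$ to decide whether $\#E_a(\mathbf{F}_p)$ is $N = p + 1 - t$ or $p + 1 + t$, returning the quadratic twist in the latter case. It also handles the case the shortcut glosses over: when $P$ is annihilated by both candidate orders, which happens exactly when its order divides $\gcd(N, p + 1 + t) = \gcd(N, 2t)$, the point cannot decide and the function reports that instead of guessing. The values $p = 11$ and the $j$-invariants 3 and 4 are constructed for the demonstration; since the example does not compute class polynomials, $t$ is obtained from a brute-force point count that stands in for the CM data.

```python
# Added example, not code from the paper: the closing step of the CM construction.
# E_a : Y^2 = X^3 + aX - a has j-invariant j0 when 1728 * 4a/(4a + 27) = j0, and it
# always contains P = (1, 1).  We use P to decide whether #E_a = N = p + 1 - t or
# p + 1 + t and otherwise switch to the quadratic twist.  count_points is only a
# brute-force check for small p; it is not part of the method.

def ec_add(P, Q, A, p):
    """Affine addition on Y^2 = X^3 + AX + B over F_p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P = -Q (includes doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(n, P, A, p):
    """n * P for n >= 0 by double-and-add."""
    R = None
    while n:
        if n & 1:
            R = ec_add(R, P, A, p)
        P = ec_add(P, P, A, p)
        n >>= 1
    return R

def a_from_j(j0, p):
    """a with j(E_a) = j0, i.e. a = 27 j0 / (4 (1728 - j0)); j0 = 0, 1728 are excluded."""
    if j0 % p == 0 or (1728 - j0) % p == 0:
        raise ValueError("j0 = 0 or 1728 needs the extra twists of Example 5.2")
    return 27 * j0 * pow(4 * (1728 - j0), -1, p) % p

def twist(A, B, p):
    """Quadratic twist Y^2 = X^3 + A g^2 X + B g^3 by the smallest non-square g mod p."""
    g = next(g for g in range(2, p) if pow(g, (p - 1) // 2, p) == p - 1)
    return A * g * g % p, B * g ** 3 % p

def curve_of_order(p, t, j0):
    """Return (A, B) of a curve with j-invariant j0 and exactly N = p + 1 - t points.

    Returns None when P = (1, 1) cannot decide, i.e. when both N and p + 1 + t kill P;
    this happens exactly when ord(P) divides gcd(N, p + 1 + t) = gcd(N, 2t), and
    another point (or point counting) is needed.  Raises if j0 is not a j-invariant
    of a curve with trace +-t, since then neither candidate kills P."""
    N = p + 1 - t
    a = a_from_j(j0, p)
    A, B = a, (-a) % p
    kills_N = ec_mul(N, (1, 1), A, p) is None
    kills_other = ec_mul(p + 1 + t, (1, 1), A, p) is None
    if kills_N and kills_other:
        return None
    if kills_N:
        return A, B                                   # #E_a = N
    if kills_other:
        return twist(A, B, p)                         # #E_a = p + 1 + t, so the twist has N points
    raise ValueError("j0 is not a root of the class polynomial for this (p, t)")

def count_points(A, B, p):
    """Brute-force #E(F_p) for Y^2 = X^3 + AX + B (small p only, used here as a check)."""
    n = 1                                             # the point at infinity
    for x in range(p):
        rhs = (x ** 3 + A * x + B) % p
        n += 1 if rhs == 0 else (2 if pow(rhs, (p - 1) // 2, p) == 1 else 0)
    return n

if __name__ == "__main__":
    p, j0 = 11, 4                                     # constructed demo values
    a = a_from_j(j0, p)
    N = count_points(a, -a % p, p)                    # 15; stands in for the CM data (p, t)
    t = p + 1 - N
    print(curve_of_order(p, t, j0), "has", N, "points")             # (2, 9)
    print(curve_of_order(p, -t, j0), "has", p + 1 + t, "points")    # the twist (8, 6), 9 points
    print(curve_of_order(p, 6, 3))                    # None: P = (1, 1) has order 6 = gcd(6, 18)
```

For $p = 11$ and $j_0 = 3$ the curve $E_5$ has 6 points and $P = (1,1)$ has order 6, which divides both $6$ and $p + 1 + t = 18$; this is the ambiguous case, and it shows why the text suggests random points (or point counting) rather than a single fixed point when the group order is small relative to $|t|$.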

Most of the work in the complex multiplication method goes into the computation of the class polynomial $P_\Delta$. As the degree of $P_\Delta$ and the size of its coefficients both grow like $|\Delta|^{1/2}$ for $\Delta \to -\infty$, the run time can be no better than $\widetilde{O}(|\Delta|)$. This is the actual run time [9] for the classical analytic approach using the modular function $j : \mathbf{H} \to \mathbf{C}$. The same is true for the more recent non-archimedean approach [5, 8] to the evaluation of $P_\Delta$, which approximates the roots of $P_\Delta$ by a Newton iteration process over an $\ell$-adic field for a suitable small prime $\ell$. For both methods, it is possible to reduce the run time by sizable constant factors if one replaces the $j$-function by 'smaller' modular functions [11, 23, 4]. This is very important from a practical, but not from a computational complexity point of view.

In the complex multiplication method, one can save some work by computing the class polynomial $P_D$ for the fundamental discriminant $D = \mathrm{disc}(\mathbf{Q}(\sqrt{\Delta}))$ rather than that for $\Delta$ itself. As $p = \pi\bar{\pi} \in \mathcal{O}_\Delta$ splits in the same way in the maximal order $\mathcal{O}_D \supseteq \mathcal{O}_\Delta$ as it does in $\mathcal{O}_\Delta$, elliptic curves over $\mathbf{F}_p$ with endomorphism ring $\mathcal{O}_D$ are just as good for our purposes, and we may everywhere replace $\Delta$ by $D$ in the algorithm. If $\Delta$ has a large square factor, this can be a considerable improvement since the polynomial $P_D$ is then much smaller than $P_\Delta$.

If we apply the complex multiplication method to solve Problem 1, we have no control over the discriminant

$$\Delta = \Delta(p, N) = t^2 - 4p = (p + 1 - N)^2 - 4p, \qquad (2.2)$$

which will typically be of the same order of magnitude as $N$ and without large square factors. In that case, the resulting run time $\widetilde{O}(N)$ is inferior to the $\widetilde{O}(N^{1/2})$ of the naive probabilistic method.

For Problem 2, the situation is different as only $N$ is then given as input, and we typically have many primes $p \in \mathcal{H}_N$ to choose from. An obvious thing to do here is to choose $p \in \mathcal{H}_N$ as close as possible to the end points of the interval, so that the absolute value of the trace $t = p + 1 - N$ differs from $2\sqrt{N}$ by a small amount. By the prime number theorem, we expect to be able to find $p$ for which $2\sqrt{N} - |t|$ is of size $\log N$. This makes $\Delta = t^2 - 4p$ of size $\widetilde{O}(N^{1/2})$, and reduces the run time of the algorithm to $\widetilde{O}(N^{1/2})$, just as for the naive probabilistic method.
More generally, one can examine which primes $p$ at distance at most $N^\alpha$ from the end points of $\mathcal{H}_N$ give rise to values of $\Delta$ with large square factors. Heuristically, there are about $N^\alpha/\log N$ such primes, giving rise to discriminants of size $N^{\alpha + 1/2}$. Among the discriminants of this size, those of the form $\Delta = f^2 D$ with $|D| < N^\beta$ constitute a fraction of order of magnitude

$$\frac{1}{N^{\alpha + 1/2}} \sum_{|D| < N^\beta \text{ squarefree}} \left(\frac{N^{\alpha + 1/2}}{|D|}\right)^{1/2} \approx N^{\beta/2 - \alpha/2 - 1/4}.$$

The number of discriminants $\Delta = f^2 D$ with $|D| < N^\beta$ we expect to find from $p$'s no further than $N^\alpha$ from the end points of $\mathcal{H}_N$ is therefore

$$\frac{N^\alpha}{\log N} \cdot N^{\beta/2 - \alpha/2 - 1/4} = \frac{N^{(\alpha + \beta)/2 - 1/4}}{\log N},$$

which tends to infinity with $N$ exactly when we have $\alpha + \beta > 1/2$. Rough as this heuristic analysis may be, it 'explains' why in the example given in [5, Section 6] to illustrate the non-archimedean approach to computing class polynomials, examining the primes $p$ close to the end points of $\mathcal{H}_N$ leads to a fundamental discriminant $D$ that is small compared to $N$. As examining the primes in an interval of length $N^\alpha$ to achieve $|D| < N^\beta$ gives rise to a run time $\widetilde{O}(N^{\max(\alpha, \beta)})$, we can achieve a heuristic run time $\widetilde{O}(N^{1/4 + \varepsilon})$ by taking $\alpha = \beta = 1/4 + \varepsilon$. Although this is still exponential, this method of selecting $p$ already enables us to deal with values of $N$ the naive method cannot handle.

The extreme case $(\alpha, \beta) = (\varepsilon, 1/2)$ corresponds to taking $p$ as close as possible to the end points of $\mathcal{H}_N$, a case we already discussed. The other extreme $(\alpha, \beta) = (1/2, \varepsilon)$ indicates that it should be possible to find $D$ of subexponential size in terms of our input length $\log N$. This suggests that a fruitful approach to solving Problem 2 by the complex multiplication method consists in efficiently minimizing the fundamental discriminant $D$ involved.

It turns out that we can actually determine the 'minimal' imaginary quadratic fundamental discriminant $D$ that can be used to construct an elliptic curve of order $N$ in a relatively straightforward way. It uses the 'symmetry' between the order $N$ of the point group $E(\mathbf{F})$ and the order $q = p$ of $\mathbf{F}$ itself, which are norms of the quadratic integers $1 - \pi = 1 - F_p$ and $\pi = F_p$, respectively. This symmetry is already familiar to us from (1.2). In the case of the discriminant $\Delta = (\pi - \bar{\pi})^2 = ((1 - \pi) - (1 - \bar{\pi}))^2$ in (2.2), it takes the form

$$\Delta(p, N) = (p + 1 - N)^2 - 4p = (N + 1 - p)^2 - 4N.$$

We now fix $N$ and try to write $\Delta = \Delta(p)$ as

$$\Delta(p) = (N + 1 - p)^2 - 4N = f^2 D \qquad (2.3)$$

for 'small' $D < 0$. This comes down to solving the positive definite equation

$$x^2 - Df^2 = 4N \qquad (2.4)$$

in integers $x$ and $f$ in such a way that the number $p = N + 1 - x$ is prime. This leads us to the following problem.
Problem 3. Given an integer $N > 1$, find the smallest squarefree integer $d \geq 1$ together with an algebraic integer $\alpha \in K = \mathbf{Q}(\sqrt{-d})$ such that

(i) $N_{K/\mathbf{Q}}(\alpha) = N$;

(ii) $p = N_{K/\mathbf{Q}}(1 - \alpha) = N + 1 - \mathrm{Tr}_{K/\mathbf{Q}}(\alpha)$ is prime.

The prime $p$ occurring in condition (ii) has the property that there exists an elliptic curve $E/\mathbf{F}_p$ having $N$ points and endomorphism ring $\mathrm{End}(E)$ isomorphic to the ring of integers $\mathcal{O}_K$ of $K = \mathbf{Q}(\sqrt{-d})$. Once we find the solution $(\alpha, d)$ to Problem 3, we can use it to solve Problem 2 for that same $N$: take $p = N_{K/\mathbf{Q}}(1 - \alpha)$ and construct an elliptic curve over $\mathbf{F}_p$ with endomorphism ring $\mathcal{O}_K$ for which $1 - \alpha \in \mathcal{O}_K$ is the Frobenius, using the class polynomial for the order $\mathcal{O}_K$. This elliptic curve will have $N = N_{K/\mathbf{Q}}(\alpha)$ points, as desired.



Reinier Bröker, Peter Stevenhagen

3. An Algorithm to solve Problem 3

As indicated in the introduction, it is not possible to prove rigorously that any pair $(\alpha, d)$ meeting the conditions of Problem 3 exists at all, let alone that there is a pair with small $d$ that can be found efficiently. We will however argue in the next section why it is reasonable to expect that the smallest integer $d$ solving Problem 3 exists for all $N > 1$, and why this $d$ is even rather small in terms of $N$, of size at most $O((\log N)^2 + 2^{\omega(N)})$. Given this expectation, it makes sense to solve Problem 3 in a straightforward way using an algorithm that, on input of a factored number $N$, tries for increasing squarefree numbers $d \in \mathbf{Z}_{\geq 1}$ to

- find the integral ideals in $K = \mathbf{Q}(\sqrt{-d})$ of norm $N$;

- determine the generators of those ideals that are principal;

- test for each generator $\alpha$ found whether $N_{K/\mathbf{Q}}(1 - \alpha)$ is prime.

As soon as a prime value $p = N_{K/\mathbf{Q}}(1 - \alpha)$ is encountered for some $d$, this is the minimal $d$ we are after, and $(\alpha, d)$ is a solution to Problem 3.

Before we describe an actual algorithm, we look at the three individual tasks to be performed, and the run time of the various subroutines involved. These run times depend on the time $O(L^{1+\mu})$ needed to multiply two $L$-bit integers. We have $\mu = 1$ for ordinary multiplication, and $\mu = \varepsilon > 0$ for any fast multiplication method. We will give our run times using $\mu = \varepsilon > 0$.

Task 1: Finding the ideals of norm $N$. For squarefree $d \geq 1$, the ring of integers of $K = \mathbf{Q}(\sqrt{-d})$ is $\mathbf{Z}[\omega]$ with $\omega = \omega_d$ a root of the monic polynomial $f = f_d \in \mathbf{Z}[X]$, where

$$\omega_d = \begin{cases} \dfrac{1 + \sqrt{-d}}{2} & \text{if } -d \equiv 1 \bmod 4, \\ \sqrt{-d} & \text{otherwise,} \end{cases} \qquad f_d = \begin{cases} X^2 - X + \dfrac{1 + d}{4} & \text{if } -d \equiv 1 \bmod 4, \\ X^2 + d & \text{otherwise.} \end{cases} \qquad (3.1)$$

Then every ideal of norm $N$ in $\mathbf{Z}[\omega]$ can uniquely be written as $kI$, with $k$ a positive integer for which $k^2$ divides $N$, and $I$ a primitive ideal of $\mathbf{Z}[\omega]$ of norm $N_0 = N/k^2$. This last condition means that $\mathbf{Z}[\omega]/I$ is cyclic of order $N_0$, and it implies that we have $I = (N_0, \omega - r)$ for some integer $r \in \mathbf{Z}$ satisfying $f(r) \equiv 0 \bmod N_0$. Finding all ideals of norm $N$ therefore amounts to finding, for each square divisor $k^2 \mid N$, the roots of $f$ modulo $N_0 = N/k^2$. It is here that we need to have the factorization of $N$ at our disposal, not only because this implicitly encodes a list of square divisors $k^2 \mid N$, but also because it enables us to find the roots of $f$ modulo $N_0$. Indeed, finding these roots is done by finding the roots of $f$ modulo the prime powers $p^{\mathrm{ord}_p(N_0)}$ dividing $N_0$, and combining these in all possible ways, using the Chinese remainder theorem, to obtain the roots modulo $N_0$. Note that $f$ has no roots modulo $N_0$ if $N_0$ is divisible by a prime $p$ that is inert in $\mathbf{Z}[\omega]$, or by the square of a prime $p$ that ramifies in $\mathbf{Z}[\omega]$.

As finding a root of $f$ modulo an integer essentially amounts to extracting a square root of $-d$ modulo that integer, we need to extract square roots of $-d$ modulo the prime powers dividing $N_0$. This easily reduces to extracting square roots of $-d$ modulo each of the primes dividing $N_0$. This can be done efficiently by employing a variant of the (probabilistic) Cantor–Zassenhaus algorithm [10, Section 14.5], and leads to an expected run time $O((\log p)^{2+\varepsilon})$ to extract square roots modulo a prime $p$. For any selection of square roots $\{\sqrt{-d} \bmod p^{\mathrm{ord}_p(N_0)}\}_{p \mid N_0}$, the Chinese remainder theorem lifts these to a square root modulo $N_0$ in time $O(\omega(N)(\log N)^2)$.

Task 2: Finding generators for principal ideals of norm $N$. For each ideal $kI = k \cdot (N_0, \omega - r) \subset \mathbf{Z}[\omega]$ of norm $N$ found, we use the 1908 algorithm of Cornacchia described in [21, pp. 229–232] or [6] to find a generator of $I$, if it exists. This algorithm performs a number of steps of the Euclidean algorithm on the basis elements $N_0$ and $\omega - r$ of the $\mathbf{Z}$-lattice $I = (N_0, \omega - r) \subset \mathbf{Z}[\omega]$ in order to decide whether $I$ is a principal ideal. If it is, a generator $\alpha_0$ of $I$ is found, and $\alpha = k\alpha_0$ generates $kI$ and has norm $N$. The other generator of $I$ is $-\alpha_0$. For the special values $d = 1$ and $d = 3$ there are 4 and 6 generators for each principal ideal $I$, respectively, obtained by multiplying $\alpha_0$ by 4th and 6th roots of unity. The run time of Cornacchia's algorithm on input $k \cdot (N_0, \omega - r)$ is of order $O((\log N)^{2+\varepsilon})$.

Task 3: Testing which algebraic integers $\alpha$ of norm $N$ lead to prime elements $1 - \alpha$. For each of the elements $\alpha$ of norm $N$ found in the previous step 2, we need to test whether the norm $N + 1 - \mathrm{Tr}(\alpha)$ of $1 - \alpha$ is a prime number. As most $\alpha$'s will have norms that are not prime, a cheap compositeness test such as the Miller–Rabin test (which takes time $O((\log N)^{2+\varepsilon})$ per round) can be used to discard most $\alpha$'s. Once we find $\alpha$ for which $N + 1 - \mathrm{Tr}(\alpha)$ is a probable prime, we do a true primality test to prove primality of $p = N + 1 - \mathrm{Tr}(\alpha)$. This can be done deterministically in time polynomial in $\log N$ by the 2002 result of Agrawal, Kayal and Saxena [1]. Recent speed-ups of the test [16] take time $\widetilde{O}((\log N)^{6+\varepsilon})$, whereas probabilistic versions [3] have expected run time $\widetilde{O}((\log N)^{4+\varepsilon})$.

Using the various subroutines specified in the tasks above, we formulate an Algorithm to solve Problem 3. A slightly more practical algorithm that we use to actually find elliptic curves with a given number of points does not exactly follow the outline below; it is discussed in Section 5. The version in this section is phrased to facilitate the heuristic run time estimate in Section 4.
Input: a factored integer $N = \prod_i p_i^{e_i}$. Output: a solution $(d, \alpha)$ to Problem 3.

1. Put $d \leftarrow 1$.

2. If $d$ is not squarefree, put $d \leftarrow d + 1$ and go to step 2. Otherwise, define $\omega = \omega_d$ and $f = f_d$ as in (3.1).

3. Put $k_1 \leftarrow 1$ and determine the splitting behavior in $\mathbf{Z}[\omega]$ of all prime divisors of $N$.
3a. For every prime divisor $p_i$ of $N$ that is inert in $\mathbf{Z}[\omega]$, put $k_1 \leftarrow k_1 \cdot p_i^{e_i/2}$ in case $e_i$ is even. In case $e_i$ is odd, put $d \leftarrow d + 1$ and go to step 2.
3b. For every prime divisor $p_i$ of $N$ that ramifies in $\mathbf{Z}[\omega]$, put $k_1 \leftarrow k_1 \cdot p_i^{\lfloor e_i/2 \rfloor}$.

4. Put $N_1 \leftarrow N/k_1^2$. For every root $(r \bmod N_1)$ of $f$ and for every square divisor $k_2^2 \mid N_1$ do the following.
4a. Put $k \leftarrow k_1 k_2$ and $N_0 \leftarrow N/k^2 = N_1/k_2^2$. Use Cornacchia's algorithm to find a generator of $(N_0, \omega - r) \subset \mathbf{Z}[\omega]$, in case it exists.
4b. If a generator is found, test for all (2, 4 or 6) generators $\alpha_0$ whether the norm $N + 1 - \mathrm{Tr}(k\alpha_0)$ of $1 - k\alpha_0 \in \mathbf{Z}[\omega]$ is prime. If it is, return $d$ and $\alpha = k\alpha_0$ and halt.

5. Put $d \leftarrow d + 1$ and go to step 2.

The determination of the splitting behavior of the primes $p_i \mid N$ in $\mathbf{Z}[\omega]$ in Step 3 amounts to computing the Kronecker symbol $\left(\frac{D}{p_i}\right)$ for $D = \mathrm{disc}(\mathbf{Q}(\sqrt{-d}))$. For $p_i > 2$ this is simply the Legendre symbol, which is easily evaluated by combining quadratic reciprocity with the Euclidean algorithm. The factor $k_1$ computed in this step is the minimal 'imprimitivity factor' dividing all ideals of norm $N$ in $\mathbf{Z}[\omega]$. It reflects the fact that primitive ideals are not divisible by inert primes, or by squares of ramified primes.

The evaluation of the roots of $f$ modulo $N_1$ in Step 4 is done by evaluating the roots of $f$ modulo the various prime powers dividing $N_1$, and combining these in all possible ways using the Chinese remainder theorem. For the ramified primes $p_i$ dividing $N_1$, which occur with exponent 1, there is a unique (double) root of $f$ modulo $p_i$. For splitting primes $p_i$, the polynomial $f$ has exactly 2 different roots modulo $p_i$, and these lift uniquely to $\mathbf{Z}_{p_i}$. Finding the roots of $f$ modulo these $p_i$ is non-trivial as it involves the extraction of a square root $\sqrt{-d}$ modulo $p_i$. Refining these roots to roots modulo $p_i^{e_i}$ is much faster, and an easy application of Hensel's lemma. The number of distinct roots modulo $N_1$ is $2^s \leq 2^{\omega(N)}$ with $s$ the number of $p_i \mid N$ that split in $\mathbf{Z}[\omega]$.

Step 4 computes the possible generators of the primitive parts of ideals of norm $N$ in $\mathbf{Z}[\omega]$. It is not completely optimized as it does not take into account that different roots of $f$ modulo $N_1$ may coincide modulo $N_0$, and give rise to the same ideal $(N_0, \omega - r)$ in Step 4a. It also unnecessarily treats the complex conjugate $(N_0, \omega - r')$ of every ideal $(N_0, \omega - r)$, whose generators (if any) are of course the complex conjugates of the generators of $(N_0, \omega - r)$.
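The Algorithm of this section, run end to end on a small factored $N$, as an added Python example that is not the authors' implementation. The pieces map onto Tasks 1 to 3: square roots of $-d$ modulo the prime factors of $N$ by Tonelli–Shanks, Hensel lifting to prime powers and a Chinese remainder combination (Task 1); a Lagrange reduction of the lattice $(N_0, \omega - r)$ under the norm form of $\mathbf{Z}[\omega]$, which decides principality exactly as the Euclidean steps of Cornacchia's algorithm do and exposes all 2, 4 or 6 generators at once (Task 2); and a primality test (Task 3), for which trial division is used as a stand-in for the Miller–Rabin and AKS/ECPP tests of the text, adequate for the toy sizes here. It also skips roots that coincide modulo $N_0$, the first of the two inefficiencies noted above. The factored inputs used below are constructed for the demonstration.

```python
# Added example, not the paper's code: the Algorithm above run on a small factored N.
# Task 1 = Tonelli-Shanks + Hensel + CRT; Task 2 = Lagrange reduction of the ideal
# (N0, omega - r), the job Cornacchia's Euclidean steps do; Task 3 = trial division as a
# toy stand-in for Miller-Rabin/AKS.  Elements of Z[omega] are pairs (u, v) = u + v*omega.
from itertools import product
from math import prod

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))

def kronecker(D, p):
    """(D/p) for a prime p: 1 split, -1 inert, 0 ramified."""
    if p == 2: return 0 if D % 2 == 0 else (1 if D % 8 == 1 else -1)
    return 0 if D % p == 0 else (1 if pow(D % p, (p - 1) // 2, p) == 1 else -1)

def sqrt_mod(a, p):
    """Tonelli-Shanks: a square root of the nonzero square a modulo the odd prime p."""
    q, s = p - 1, 0
    while q % 2 == 0: q, s = q // 2, s + 1
    z = next(z for z in range(2, p) if pow(z, (p - 1) // 2, p) == p - 1)
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i = next(i for i in range(1, m) if pow(t, 1 << i, p) == 1)
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def roots_mod_pp(b, c, q, e):
    """Roots of f = X^2 + bX + c mod q^e; e > 1 only for split q, where f'(r) = 2r + b is a unit."""
    if q == 2:
        rs = [x for x in (0, 1) if (x * x + b * x + c) % 2 == 0]
    else:
        disc = (b * b - 4 * c) % q                                   # -d or -4d modulo q
        s, h = (0 if disc == 0 else sqrt_mod(disc, q)), pow(2, -1, q)
        rs = sorted({(-b + s) * h % q, (-b - s) * h % q})
    for k in range(2, e + 1):                                        # Hensel lift q^(k-1) -> q^k
        rs = [(r - (r * r + b * r + c) * pow(2 * r + b, -1, q ** k)) % q ** k for r in rs]
    return rs

def roots_mod(b, c, rest):
    """All roots of f modulo N1 = prod q^e (rest = {q: e}), glued with the CRT; returns (roots, N1)."""
    roots, mod = [0], 1
    for q, e in rest.items():
        qe = q ** e
        roots = [(r + mod * ((rq - r) * pow(mod, -1, qe) % qe)) % (mod * qe)
                 for r, rq in product(roots, roots_mod_pp(b, c, q, e))]
        mod *= qe
    return roots, mod

def imprimitivity(D, factors):
    """Step 3: (k1, {q: e} of N1 = N/k1^2), or None if an inert prime has odd exponent."""
    k1, rest = 1, {}
    for q, e in factors.items():
        s = kronecker(D, q)
        if s == -1 and e % 2:
            return None
        k1 *= q ** (e // 2) if s <= 0 else 1                         # inert pairs and ramified squares
        if s == 1 or e % 2:
            rest[q] = e if s == 1 else 1                             # a ramified prime keeps exponent 1
    return k1, rest

def reduce_lattice(Q, b1, b2):
    """Lagrange reduction of Z b1 + Z b2 under the norm form Q (Cornacchia's Euclidean steps)."""
    while True:
        if Q(*b1) > Q(*b2): b1, b2 = b2, b1
        m = (Q(b1[0] + b2[0], b1[1] + b2[1]) - Q(*b2)) // (2 * Q(*b1))   # round(<b1,b2>/<b1,b1>)
        if m == 0: return b1, b2
        b2 = (b2[0] - m * b1[0], b2[1] - m * b1[1])

def solve_problem3(factors, d_max=10 ** 5):
    """factors = {prime: exponent} of N -> (d, alpha=(u, v), p) with N(alpha) = N, p = N + 1 - Tr(alpha)."""
    N = prod(q ** e for q, e in factors.items())
    for d in range(1, d_max + 1):
        if any(d % (q * q) == 0 for q in range(2, int(d ** 0.5) + 1)):   # Step 2: d squarefree?
            continue
        b, c = (-1, (1 + d) // 4) if d % 4 == 3 else (0, d)          # f_d = X^2 + bX + c, see (3.1)
        D = -d if d % 4 == 3 else -4 * d                               # disc(Q(sqrt(-d)))
        Q = lambda u, v, b=b, c=c: u * u - b * u * v + c * v * v       # N(u + v*omega)
        step3 = imprimitivity(D, factors)
        if step3 is None:
            continue
        k1, rest = step3
        roots, N1 = roots_mod(b, c, rest)                              # Step 4: roots of f mod N1
        k2s = [1]
        for q, e in rest.items():
            k2s = [k * q ** a for k in k2s for a in range(e // 2 + 1)]   # square divisors k2^2 | N1
        seen = set()
        for r, k2 in product(roots, k2s):
            N0, k = N1 // (k2 * k2), k1 * k2
            if (N0, r % N0) in seen:                                   # roots equal mod N0: same ideal
                continue
            seen.add((N0, r % N0))
            b1, b2 = reduce_lattice(Q, (N0, 0), (-(r % N0), 1))        # Step 4a on (N0, omega - r)
            for u, v in (b1, b2, (b1[0] + b2[0], b1[1] + b2[1]), (b1[0] - b2[0], b1[1] - b2[1])):
                if Q(u, v) == N0:                                      # principal iff a vector has norm N0
                    for s in (k, -k):                                  # Step 4b over all generators
                        p = N + 1 - s * (2 * u - b * v)                # N(1 - s*alpha0), Tr(alpha0) = 2u - bv
                        if is_prime(p):
                            return d, (s * u, s * v), p
    return None
```

`solve_problem3({2: 2, 3: 1})` returns $(2, (-2, 2), 17)$: for $N = 12$ the first usable field is $\mathbf{Q}(\sqrt{-2})$, with $\alpha = -2 - 2\sqrt{-2}$ of norm 12 and $p = 17 \in \mathcal{H}_{12}$. `solve_problem3({1009: 1})` stops at $d = 3$ with $p \in \{967, 991\}$; $d = 1$ and $d = 2$ do yield elements of norm 1009 ($1009 = 28^2 + 15^2 = 19^2 + 2 \cdot 18^2$), but for $d \not\equiv 3 \bmod 4$ every trace is even, so $N + 1 - \mathrm{Tr}(\alpha)$ is even whenever $N$ is odd, and only $d \equiv 3 \bmod 4$ can produce an odd $p$ for odd $N$.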

4. Heuristic run time analysis 

In this section, we present a heuristic run time analysis of the Algorithm in the 
previous section, and numerical data supporting this analysis. 

Assumption 1. For the elements $\alpha = k\alpha_0 \in \mathbf{Z}[\omega]$ of norm $N$ that we find in Step 4a of our Algorithm, the norm of $1 - \alpha$ will be an element of the Hasse interval $\mathcal{H}_N$ that, apart from being congruent to $1 \bmod k$, does not appear to have any predictable primality properties. Based on the prime number theorem, a reasonable assumption is therefore that for varying $d$, $r$ and $N_0$, the norms found in Step 4b will be prime with 'probability' at least $1/\log N$. In other words, the number of times we expect to execute Step 4b of our Algorithm before we find a prime value is of order of magnitude $\log N$.

Assumption 2. The input for Step 4b is provided by Step 4a, which finds the generators of those ideals of norm $N$ in $\mathbf{Z}[\omega]$ that are principal. The likelihood for a 'random' ideal in $\mathbf{Z}[\omega]$ to be principal is $1/h_d$, with $h_d$ the class number of the ring of integers $\mathbf{Z}[\omega] \subset \mathbf{Q}(\sqrt{-d})$. As we have no indication that the primitive ideals of norm $N_0$ arising in Step 4a behave differently from random ideals in $\mathbf{Z}[\omega]$, it seems reasonable that they will be principal with 'probability' around $1/h_d$.

The class number $h_d$ behaves somewhat irregularly as a function of $d$, but its growth rate $d^{1/2 + o(1)}$ was already found by Siegel. In order to bound the number of times we execute the steps 4a and 4b, we need to bound the integers $d$ we encounter in Step 2, i.e., to find an upper bound $B_N$ for the minimal integer $d$ that occurs in a solution to Problem 3. Clearly, such an upper bound will be of heuristical nature, based on the two 'randomness assumptions' above. As our Algorithm consists of a loop over $d = 1, 2, 3, \ldots$, and $d$ has to be factored in Step 2 to find if it is squarefree, the value of $B_N$ is of great importance in estimating the run time, and the success of our method depends on $B_N$ being 'small' as a function of $N$.

Elliptic curves of prime order. In the case our input number $N$ is prime, our Algorithm is similar to the first step of the elliptic curve primality proving algorithm ECPP. On input $N$, this algorithm looks for an imaginary quadratic field $K$ of small discriminant containing an element $\alpha$ of norm $N$ with the property that $N_{K/\mathbf{Q}}(1 - \alpha) = N + 1 - \mathrm{Tr}_{K/\mathbf{Q}}(\alpha)$ is twice a probable prime number $N'$. If $\alpha \in K$ is found, $N$ becomes the order of the finite field $\mathbf{F}$ and $2N'$ the number of points of an elliptic curve over $\mathbf{F}$. As $\#\mathbf{F}$ and $\#E(\mathbf{F})$ occur symmetrically in all considerations, this problem is almost identical to our Problem 3. In fact, since finding a prime around a large number $N$ is heuristically just as difficult as finding twice a prime around $N$, the heuristic run time for our Algorithm on prime input $N$ is identical to the heuristic run time for the first step of ECPP on input $N$. In accordance with the results in [17, Section 3], we obtain the following.
4.1. Theorem. Let $N$ be a prime number. Under the heuristic Assumptions 1 and 2, the integer $d$ solving Problem 3 is of size $O((\log N)^2)$, and our Algorithm can be expected to find it in time $\widetilde{O}((\log N)^{4+\varepsilon})$.

4.2. Corollary. Under the heuristic Assumptions 1 and 2, Problem 2 admits a solution in time $\widetilde{O}((\log N)^{4+\varepsilon})$ for prime values of $N$.

Proof of 4.2. We first use our Algorithm to find $d$, $\alpha$ and $p = N + 1 - \mathrm{Tr}(\alpha)$ solving Problem 3 for $N$; the time $\widetilde{O}((\log N)^{4+\varepsilon})$ needed for this dominates the steps that follow. We then construct the class polynomial $P_D$ for $D = \mathrm{disc}(\mathbf{Q}(\sqrt{-d}))$ in time $\widetilde{O}(d) = \widetilde{O}((\log N)^2)$. As $P_D$ has degree $h_d \approx \sqrt{d}$, finding a root $j$ of $P_D$ in $\mathbf{F}_p$ takes time $\widetilde{O}(\deg(P_D)(\log p)^2) = \widetilde{O}((\log N)^3)$ [10, Section 14.5]. An elliptic curve $E$ with $j$-invariant $j$ and its quadratic twist $E'$ will have $N = p + 1 - t$ or $p + 1 + t$ points, where $t = 2 - \mathrm{Tr}(\alpha)$ is the trace of the Frobenius $1 - \alpha$. Matching the group order with the curve can be done efficiently by determining which of the two quantities annihilates random points on the curve. We know that only one of them does for either $E$ or $E'$ for all $p > 229$ by [21, Theorem 3.2]. □

Proof of 4.1. For prime input $N$, our algorithm is rather simple. For increasing values of $d$, it singles out those $d$ for which $N$ is not inert in $\mathbf{Z}[\omega_d]$ in Step 3; in Step 4, it computes the primes over $N$ in $\mathbf{Z}[\omega_d]$ and determines whether these are principal with a generator $\alpha$ for which $1 - \alpha$ is a prime element.

The ring $\mathbf{Z}[\omega_d]$ contains elements $\alpha$ of norm $N$ if and only if $N$ splits into principal primes of norm $N$. For primes $N$ coprime to $2d$, this means that $N$ has to split completely in the Hilbert class field $H_d$ of $\mathbf{Q}(\sqrt{-d})$. Our Assumption 2, which states that primitive ideals of norm $N$ should be principal in $\mathbf{Z}[\omega]$ with 'probability' $1/h_d$, now reminds us of the Chebotarev density theorem, which tells us that one out of every $2h_d = [H_d : \mathbf{Q}]$ primes splits completely in $H_d$. For $d > 3$, it leads us to expect with 'probability' $1/(2h_d)$ that there are (up to conjugation) exactly two integral elements $\alpha$ and $-\alpha$ of norm $N$. With complementary probability $1 - (2h_d)^{-1}$, there are no elements of norm $N$. Thus, a value $d$ can be expected to yield an 'on average' number of $1/h_d$ elements of norm $N$.

The average statement that the number of algebraic integers $\alpha \in \mathbf{Q}(\sqrt{-d})$ of norm $N$ is asymptotically a fraction $1/h_d$ of the pairs $(d, N)$ tried is implied by Chebotarev's theorem in case we fix $d$ and let the prime $N$ vary. We are however in the case where $N$ is fixed and $d$ varies. This is certainly different, but for varying $d$ up to a bound $B$ that is small with respect to $N$, it is Assumption 2 that we will find approximately $\sum_{d < B} 1/h_d$ elements of fixed norm $N$. This is reasonable, provided that the fields $H_d$ are 'close' to being linearly independent over $\mathbf{Q}$.

It is not exactly true that the Hilbert class fields $H_d$ for the squarefree integers $d < B$ we encounter form a linearly disjoint family of number fields: the genus fields $G_d \subset H_d$ have many non-trivial intersections. However, in this family of fields, which has about $(6/\pi^2)B$ elements, there is a subfamily of fields $H_d$ coming from the prime numbers $d \equiv 3 \bmod 4$ that is linearly disjoint over $\mathbf{Q}$. This follows from the fact that for these primes $d$, the field $H_d$ is ramified only at $d$, so every field $H_d$ is linearly disjoint from the compositum of the other fields $H_{d'}$ in the subfamily. As the given subfamily has asymptotically $B/(2\log B)$ elements, we can treat the family of fields $H_d$ with $d < B$ as being linearly independent at the cost of allowing for lower order (logarithmic) factors in our estimates. We can estimate the asymptotic size of the sum $\sum_{d < B} 1/h_d$ for squarefree $d < B$ to be a positive constant times

$$\sum_{0 < d < B} \frac{1}{\sqrt{d}} \approx 2\sqrt{B},$$

up to the logarithmic factors just mentioned.

We find that for $B$ tending to infinity, Assumption 2 implies that the number of elements of prime norm $N$ coming from $d < B$ is bounded from below by some universal constant times $\sqrt{B}/\log B$. By Assumption 1, we expect to need about $\log N$ elements of norm $N$ in Step 5b. Thus, for prime values $N$ tending to infinity, the size $B_N$ of the minimal $d$ solving Problem 3 can be expected to be of size $O((\log N)^2)$. Note that $B_N$ is small with respect to $N$, as required in our heuristic argument.

For the run time of the algorithm, we obtain $O((\log N)^{4+\varepsilon})$ exactly as in [17]. The main term in the run time comes from computing $O((\log N)^2)$ values of $\sqrt{-d} \bmod N$, which each take time $O((\log N)^{2+\varepsilon})$, and from proving (as in [3]) that the output is correct, i.e., that we have found $\alpha$ of norm $N$ for which $N + 1 - \mathrm{Tr}(\alpha)$ is indeed prime. □

Numerical support. The table below shows the number of solutions $x, y \in \mathbb{Z}_{\geq 1}$ to the equation $x^2 + dy^2 = 4N$ for $d$ ranging over the squarefree integers $d \in [1, B]$ for various $B$. For $N$ we took the 5 primes following $10^{100}$ and $10^{200}$. Note that the spacing of primes around $10^{100}$ and $10^{200}$ is in accordance with Assumption 1.

    N                        B = 1000    4000    16000    64000
    p1 = 10^100 + 267             30      57      125      232
    p2 = 10^100 + ...             41      87      161      304
    p3 = 10^100 + 1243            22      51       93      173
    p4 = 10^100 + 1293            39      72      145      316
    p5 = 10^100 + 1983            29      57      123      245
    q1 = 10^200 + 357             46      91      190      354
    q2 = 10^200 + ...             24      51       98      210
    q3 = 10^200 + 799             24      47       90      184
    q4 = 10^200 + 2849            47      81      170      376
    q5 = 10^200 + 2569            73     140      275      532

We see that the growth rate is indeed roughly proportional to $c_N\sqrt{B}$, for some constant $c_N$: the numbers double if we quadruple $B$.

The data show that the size of $N$, when large with respect to $B$, is irrelevant: only the class of the primes over $N$ in the class group of $\mathbb{Z}[\omega_d]$ is important, not the size of $N$.

Figure 1 below shows the number of solutions for $p_2$ and $p_5$. Inspecting the data, we see that the growth rate is indeed close to $\sqrt{B}$. The fluctuation in the graphs is caused by the somewhat irregular behaviour of $h_d$. On a logarithmic scale, the graphs do look like straight lines with slope $1/2$, see Figure 2.

Figure 1    Figure 2



There are clear differences in the constants $c_N$ for various $N$. These can be explained by looking at the contributions coming from composite $d$, which we could afford to neglect in our analysis, but which play an important role in practical situations. For solvability of (2.4), it is clear that $N$ has to be a square modulo all primes dividing $d$. For even $d$, we also have a corresponding condition at the prime 2. If we have $(\frac{N}{p}) = 1$ for many small primes $p$, there will most likely be more composite $d$ yielding solutions to (2.4). The most striking difference in the table occurs for $p_3$ and $q_5$. Looking at the Kronecker symbols $(\frac{N}{p})$ for the first eight primes $p < 20$, we only have $(\frac{q_5}{p}) = -1$ for $p = 3, 11$. For $p_3$ this occurs for $p = 2, 3, 5, 13, 17$. This explains why $q_5$ 'outperforms' $p_3$. The differences in the constants $c_N$ disappear if we only consider primes $d \equiv 3 \bmod 4$ in our table. For $p_3$ we get 53 solutions up to $B = 64000$ in this case and for $q_5$ we get 50 solutions.

Whereas the number of generators of norm $N$ found in Step 5a for $d < B$ increases regularly, and roughly proportional to $\sqrt{B}$, Assumption 1 tells us that the number of times we have to test for primality in Step 5b before we hit a prime number is $\log N$ on average. As a consequence, we expect that the minimal $d = d(N)$ solving Problem 3 is of size $O((\log N)^{2+\varepsilon})$, but not that $d(N)$ increases very regularly with $N$ for prime values $N$. For instance, the primes $p_1$ and $p_5$ above have rather similar curves exhibiting the number of solutions found in Step 5a, but the corresponding minimal discriminants 643 and 303267 are quite far apart: they are the smallest and largest values found for the $p_j$. However, the average values of $d$ for the first 100 primes larger than $10^{100}$ and the first 100 primes larger than $10^{200}$ are $82170 \approx (\log(10^{100}))^{2.08}$ and $396030 \approx (\log(10^{200}))^{2.10}$, respectively. Their quotient 4.8 is not too far from the factor 4 we expect.

Elliptic curves of arbitrary order. The Assumptions 1 and 2 at the beginning of the section also provide a heuristic run time analysis for arbitrary input $N$.

Assume first that $N$ is squarefree, say $N = \prod_{i=1}^{\omega(N)} p_i$ with $p_i$ prime. In Step 3a, all $d$ are discarded for which one of the primes $p_i$ is inert in $\mathbb{Z}[\omega_d]$, so we will only be working in Step 4 with those $d$ for which none of the $\omega(N)$ Kronecker symbols $(\frac{-d}{p_i})$ equals $-1$. This can be a set of integers of density as small as $2^{-\omega(N)}$ inside the set of all squarefree integers, and in case $N$ is in the zero-density subset of integers satisfying the equivalent inequalities

$$2^{\omega(N)} > (\log N)^2 \iff \omega(N) > \frac{2}{\log 2}\log\log N = 2.88539\,\log\log N$$

it is clear that we can no longer expect the integer $d$ solving Problem 3 to be of size at most $(\log N)^{2+\varepsilon}$.

Despite the scarcity of suitable $d$ for large values of $\omega(N)$, it is still the case that we expect the number of elements of norm $N$ coming from $d < B$ to grow at least as fast as some universal constant times $\sqrt{B}/\log B$ if $B$ tends to infinity. Indeed, looking as before at the prime numbers $d \equiv 3 \bmod 4$ (not dividing $N$) up to $B$, we see that there are ideals of norm $N$ only for a fraction $2^{-\omega(N)}$ of them. However, for each $d$ meeting the $\omega(N)$ quadratic conditions, the number of ideals $I$ of norm $N$ equals $2^{\omega(N)}$: we can take $I = \prod_{i=1}^{\omega(N)} \mathfrak{p}_i$, with $\mathfrak{p}_i$ one of the two primes dividing $p_i$ in $\mathbb{Z}[\omega_d]$. This means that the growth with $B$ of the number of ideals of norm $N$ coming from $d < B$ is independent of the value of $\omega(N)$: with increasing $\omega(N)$ they occur for fewer $d$, but the decrease in contributing $d$ is exactly compensated by the number of ideals provided by such $d$. Our expected number of elements of norm $N$ coming from $d < B$ is therefore unchanged with respect to the case of primes $N$ discussed before.

The problem with the asymptotic growth $\sqrt{B}/\log B$ of elements of norm $N$ coming from a thin subset of $d < B$ is that $B$ may have to be large to observe this growth rate: clearly the expected number $2^{-\omega(N)}B$ of contributing $d < B$ should not be too small. As we want to take $B \approx (\log N)^2$, we can only use our previous estimate for the expected size of the integer $d$ solving Problem 3 in the case $2^{\omega(N)} \ll (\log N)^2$. In the 'opposite' case $2^{\omega(N)} \gg (\log N)^2$, finding a single quadratic ring $\mathbb{Z}[\omega_d]$ in which all primes $p_i \mid N$ split completely is what the Algorithm needs to achieve: there will be $2^{\omega(N)}$ ideals of norm $N$ in this ring, of which Assumption 2 tells us we can expect $2^{\omega(N)}/h_d \approx 2^{\omega(N)}/\sqrt{d}$ to be principal. As the smallest $d$ satisfying the $\omega(N)$ quadratic conditions imposed by the $p_i$ is expected to be of order of magnitude $2^{\omega(N)}$, we will find $2^{\omega(N)/2} \gg \log N$ elements $\alpha$ of norm $N$ in $\mathbb{Z}[\omega_d]$. By Assumption 1 this will lead to a prime element $1 - \alpha$.

4.3. Theorem. Under the heuristic Assumptions 1 and 2, the integer $d$ solving Problem 3 is of size $O((\log N)^2 + 2^{\omega(N)})$, and our Algorithm can be expected to find it in time $O(2^{\omega(N)}(\log N)^{4+\varepsilon})$.

4.4. Corollary. Under the heuristic Assumptions 1 and 2, Problem 2 admits a solution in time $O(2^{\omega(N)}(\log N)^{4+\varepsilon})$.

Proof of 4.4. Analogous to the proof of 4.2. □ 

Proof of 4.3. We saw that for squarefree $N$, the integer $d$ solving Problem 3 is of size $O((\log N)^2)$ in case $2^{\omega(N)}$ is of smaller magnitude. If it is bigger, the term $2^{\omega(N)}$ becomes dominant and determines the expected size $O(2^{\omega(N)})$ of $d$. If $N$ is not squarefree, the Algorithm has an increased number of possibilities to find ideals and elements of norm $N$ for each value of $d$. Primes occurring to even exponents are no longer an obstruction if they are inert in $\mathbb{Z}[\omega_d]$: they get absorbed in $k_1$ in Step 3 and no longer occur in $N_1$ in Step 4. Splitting primes occurring to higher exponents lead to square divisors $k_2 \mid N_1$ in Step 4, and to various ideals $(N_0, \omega_d - r)$ that can be tested for principality in Step 4a. The extra ways to find elements of norm $N$ are an advantage as they will lead to a smaller bound $B_N$ for the minimal $d$ solving Problem 3. In particular, $B_N$ will be of size $O((\log N)^2 + 2^{\omega(N)})$ for all $N$.

In order to estimate the run time of the Algorithm, we observe that by Assumption 1, Step 4b will be executed about $\log N$ times until a probable prime norm is found, and a true primality proof taking expected time $O((\log N)^{4+\varepsilon})$ is needed. This is the dominant term in the time spent on Step 4b. The number of times Cornacchia's algorithm is executed in Step 4a to yield the $\log N$ generators going into Step 4b is by Assumption 2 no more than $O(\sqrt{B_N}\log N)$, as the class numbers for $d < B_N$ are no bigger than $\sqrt{B_N}$. As Cornacchia's algorithm takes time $O((\log N)^{2+\varepsilon})$, we expect to spend time $O(\sqrt{B_N}(\log N)^{3+\varepsilon})$ in Step 4a.

In order to find the roots $(r \bmod N_1)$ of $f$ in Step 4, we first extract the square roots $\sqrt{-d}$ modulo each of the primes $p_i$ that split in $\mathbb{Z}[\omega_d]$, in time at most $O(\omega(N)(\log N)^{2+\varepsilon})$. For each choice of square roots, there is a root $(r \bmod N_1)$ of $f$ that can be found using the Chinese remainder theorem, in time $\omega(N)(\log N)^2$. Each time we apply the Chinese remainder theorem, we use the root $(r \bmod N_1)$ obtained in Cornacchia's algorithm in Step 4a. The number of times we apply the Chinese remainder theorem is therefore bounded by the number of times $O(\sqrt{B_N}\log N)$ we apply Cornacchia's algorithm. We find that the total time spent on finding roots $(r \bmod N_1)$ is no more than $O(\sqrt{B_N}\,\omega(N)(\log N)^3)$. Taking all parts of Step 4 together, the total time spent in Step 4 becomes $O(\sqrt{B_N}\,\omega(N)(\log N)^{3+\varepsilon})$. This is $O((\log N)^{4+\varepsilon})$ in the case $2^{\omega(N)} < (\log N)^2$, and $O(2^{\omega(N)/2}(\log N)^{3+\varepsilon})$ in general.

Outside Step 4, no substantial computing is done, only some administration for the relatively small integer $d$, which takes values up to $B_N$. In cases where $B_N$ is of order of magnitude $2^{\omega(N)} \gg (\log N)^2$, doing this administration is not negligible because of the large number of values taken on by $d$. Taking this into account, we find that the heuristic run time is bounded in all cases by $O(2^{\omega(N)}(\log N)^{4+\varepsilon})$. □

Numerical support. Figure 3 below shows how the number of solutions $x, y \in \mathbb{Z}_{\geq 1}$ to the equation $x^2 + dy^2 = 4N$ for $d$ ranging over all squarefree integers $d \in [1, B]$ varies with $B$ for different numbers $\omega(N)$ of prime factors of $N$. The graphs are given for $N = N_1, N_2, N_3, N_{10}$, where $N_k$ is the product of the first $k$ primes larger than $10^{\dots}$.

We see that the graphs for $N_1$, $N_2$ and $N_3$ behave quite similarly. This is what we expected if the number of solutions is independent of $\omega(N)$. The graph for $N_{10}$ appears to be quite different from the others, and this is because $2^{\omega(N_{10})} = 2^{10} = 1024$ is here of the same order of magnitude as the values of $B$ in the graph. There are here fewer $d$ for which we have a solution to $x^2 + dy^2 = 4N_{10}$, but if we do have a solution, we immediately get many. For instance, the first 'jump' in the graph occurs for the prime value $d = 1949$ and we get 28 solutions for this $d$. This is in nice accordance with the heuristics, which tell us to expect the first solutions to occur for $d$ around $2^{10} = 1024$, and to be about $2^5 = 32$ in number.




Figure 3 Figure 4 

The irregularity of the graph for $N_{10}$ disappears if we look at values of $B$ that are large in comparison to $2^{\omega(N_{10})}$. Figure 4 shows the graph for $N_{10}$ for $B$ up to $10^{\dots}$. It is now similar in nature to that of $N_1$, and exhibits the familiar $\sqrt{B}$-profile.

The graph in Figure 5 below illustrates the dependence on the number of square divisors of $N$. It shows the number of solutions for $N_1$, $3^2 \cdot N_1$, $3^2 \cdot 5^2 \cdot N_1$ and $3^2 \cdot 5^2 \cdot 7^2 \cdot N_1$. If $N$ has square divisors, we potentially test the principality of more ideals in Step 4 of our Algorithm, so we expect to obtain more solutions. Replacing $N_1$ for example by $3^2 \cdot N_1$, we expect to get on average a double amount of solutions for $d \equiv 1 \bmod 3$. The gain is a constant factor $> 1$ that increases with the amount of square divisors of $N$.



Figure 5



5. Examples and practical considerations

The description of the Algorithm in Section 3 is intended to facilitate the run time estimate in Section 4; it does not address practical issues that are important in computing large examples. In this section, we explain how we find solutions to Problem 2 for large values of $N$ that are either prime or equal to a power of 10.
Elliptic curves of large prime order. From the description of the algorithm we gave in the previous section, and more in particular its relation to ECPP, it is clear that one should be able to construct a curve having a large prime number $N$ of points in all cases where ECPP, as described in [17], can prove primality of a number of the same size. To do so, it makes sense to apply an idea attributed to J. Shallit in [17] to speed up the computation. This idea starts from the observation that for large prime numbers $N$, the Algorithm spends a lot of time in evaluating $(\sqrt{-d} \bmod N)$ for all squarefree $d$ up to $B_N \approx (\log N)^2$ having $(\frac{-d}{N}) = 1$. We noticed already in the previous section that if the equation

$$x^2 + dy^2 = 4N$$

admits integral solutions, then $N$ is a square modulo all primes dividing $D = \operatorname{disc}(\mathbb{Q}(\sqrt{-d}))$. It reflects the fact that if $N$ splits completely in the Hilbert class field $H_d$ of $K = \mathbb{Q}(\sqrt{-d})$, then it certainly splits completely in the genus field $G_d \subset H_d$ of $K$. As $G_d$ is obtained by adjoining to $K$ the square roots of $p^* = (-1)^{(p-1)/2}p$ for all odd prime divisors $p \mid d$, we have $(\frac{p^*}{N}) = (\frac{N}{p}) = 1$ in this case.

Once we know that those $d$ providing solutions are essentially products of primes having the right quadratic character with respect to $N$, the idea suggests itself to look only at those $d$ that are constructed as products of such primes. Creating $d$ from a 'basis' of primes $p$ with $(\frac{N}{p}) = 1$ allows us to compute $\sqrt{p^*} \bmod N$ for such $p$, and store the values in a list. For $p = 2$, one uses the square roots of $-1$, $2$ and $-2$ that can be extracted modulo $N$. For each $d$ constructed from our basis of primes, $\sqrt{-d} \bmod N$ can be obtained by multiplying the square roots of primes modulo $N$ we stored. Considering only products of two primes from our basis allows us to reduce the number of square root extractions modulo $N$ from $O((\log N)^2)$ to $O(\log N)$, at the expense of extra multiplications modulo $N$ and an increased storage requirement. In practice, we consider $d$ with at most 3 prime divisors. One thing we lose in this approach is the guarantee that we really find the smallest solution $d$ to Problem 3.
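The prime-basis search just described, as an added example that is not the paper's code: for a toy prime N it builds d from primes p with (N/p) = 1, assembles √−d mod N from stored roots √p* (and the roots of −1, 2, −2 for p = 2), solves x² + dy² = 4N with a modified Cornacchia routine, and returns the first field size p = N + 1 ∓ x that passes a Miller–Rabin test. It assumes N ≡ 3 mod 4 so that square roots modulo N are one exponentiation; the class-polynomial step that then produces the curve is not shown, and all function names are the example's own.

```python
# Added example (not the paper's code).  Toy prime N is assumed to be 3 mod 4.
from itertools import combinations
from math import isqrt

def jacobi(a, n):                        # Jacobi symbol (a/n), n odd and positive
    a, r = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5): r = -r
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3: r = -r
        a %= n
    return r if n == 1 else 0

def kronecker(N, p):                     # Kronecker symbol (N/p) for a prime p
    return (1 if N % 8 in (1, 7) else -1) if p == 2 else jacobi(N, p)

def is_probable_prime(n):                # Miller-Rabin, bases 2..37 (exact below 3.3e24)
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in bases): return n in bases
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

def sqrt_mod(a, N):                      # root of a mod prime N = 3 mod 4 (assumed); None if none
    r = pow(a % N, (N + 1) // 4, N)
    return r if r * r % N == a % N else None

def cornacchia4(d, N, root):             # solve x^2 + d y^2 = 4N from root^2 = -d (mod N)
    D = -d if d % 4 == 3 else -4 * d     # discriminant of Q(sqrt(-d)), d squarefree
    x0 = root if d % 4 == 3 else 2 * root % N
    if x0 % 2 != D % 2: x0 = N - x0      # now x0^2 = D (mod 4N)
    a, b, l = 2 * N, x0, isqrt(4 * N)
    while b > l: a, b = b, a % b         # Euclid until the remainder drops below 2 sqrt(N)
    c, rem = divmod(4 * N - b * b, -D)
    y = isqrt(c)
    if rem or y * y != c or y == 0: return None
    return (b, y) if d % 4 == 3 else (b, 2 * y)   # for D = -4d we solved x^2 + 4d y^2 = 4N

def find_field_size(N, bound=1000, max_primes=3):
    """Return (d, x, y, p) with x^2 + d y^2 = 4N and p = N + 1 -/+ x a probable prime."""
    odd = [p for p in range(3, bound, 2) if is_probable_prime(p) and kronecker(N, p) == 1]
    roots = {e: sqrt_mod(e, N) for e in (-1, 2, -2)}          # roots used for the prime 2
    roots.update({p: sqrt_mod(p if p % 4 == 1 else -p, N) for p in odd})  # sqrt(p*) mod N
    for k in range(1, max_primes + 1):
        for ps in combinations([2] + odd, k):
            d, m = 1, sum(p % 4 == 3 for p in ps)
            for p in ps: d *= p
            e = (-1) ** (m + 1) * (2 if 2 in ps else 1)    # -d = e * prod(p*) over odd p | d
            r = 1 if e == 1 else roots[e]
            if r is None: continue                         # (-d/N) = -1: N is inert, skip d
            for p in ps:
                if p != 2: r = r * roots[p] % N            # r^2 = -d (mod N)
            sol = cornacchia4(d, N, r)
            if sol is None: continue                       # the primes over N are not principal
            for p in (N + 1 - sol[0], N + 1 + sol[0]):     # norms of 1 - alpha and 1 + alpha
                if is_probable_prime(p): return d, sol[0], sol[1], p
    return None
```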

5.1. Example. Take $N = \mathrm{nextprime}(10^{2004}) = 10^{2004} + 4863$, the exponent 2004 being the year we found our method. For this $N$, we have $\log(N) = 4614.3$ and $(\log(N))^2 = 2.13 \cdot 10^7$. There are 324 primes $p$ less than 5000 with $(\frac{N}{p}) = 1$, and we compute and store the square roots of $-1$, $2$ and $-2$ modulo $N$ and all square roots $\sqrt{p^*} \bmod N$. We now have $\binom{325}{3} \approx 5668650$ squarefree values of $d$ at our disposal having up to 3 prime divisors from our base, and we know $N$ to split completely in all genus fields $G_d$.

The 104415-th value of $d$ we tried was $d = 59 \cdot 523 \cdot 2579 = 79580203$. For this value of $d$, we found a solution

$$x = 1885782\ldots693127$$

to $x^2 + dy^2 = 4N$ for which

$$p = N + 1 - x = 999999\ldots99999811421\ldots8311737$$



18 



REINIER BROKER, PETER STEVENHAGEN 



is a 2004-digit prime. In each case, the dots represent 990 digits that we omitted. 

The class polynomial $P_{-d}$ has degree 1536 and coefficients up to 41984 digits. Modulo $p$ the polynomial $P_{-d}$ splits completely. Taking $j$ to be the smallest positive integer satisfying $P_{-d}(j) \equiv 0 \bmod p$, we put $a = \frac{27j}{4(1728 - j)} \in \mathbb{F}_p$. Then the curve given by

$$E_a: Y^2 = X^3 + aX - a$$

has CM by $\mathcal{O}_{-d}$. As the point $(1, 1) \in E_a(\mathbb{F}_p)$ does not have order $N$, the quadratic twist $E_a': Y^2 = X^3 + 9aX - 27a$ of $E_a$ has $N$ points. This can be verified by picking a random point $P \in E_a'(\mathbb{F}_p)$ and checking that we have $N \cdot P = 0$.

The value of d we find here is in fact the smallest d solving Problem 3 for our N. 
Our algorithm did 565 primality tests before we found the solution above. Finding d 
and p took about 10 minutes on our standard PC, and another 3 hours were needed 
to find and factor P-d- Once we find j, the final result is almost immediate. If we 
trust the input value N as being a true prime number, there is no need to prove 
that p is prime. As in ECPP, this follows from the fact that E' has a non-trivial 
point that is annihilated by N. 

Elliptic curves of 10-power order. We indicated in our analysis in Section 4 that for input values of $N$ having a large number of square divisors, the integer $d$ solving Problem 3 will be much smaller than the upper bound for squarefree $N$ occurring in Theorem 4.3. This can be illustrated by looking at the values $N = 10^k$ for $k \geq 1$, which have $\log N \approx 2.3k$. As none of the prime divisors 2 and 5 of $N$ is inert in the field $\mathbb{Q}(i)$ and the prime 5 is split, there are already many solutions to the norm equation $x^2 + y^2 = N$ for the very first value $d = 1$. In fact, as we have $h_d = 1$ there is no need for a Cornacchia algorithm, and the elements of norm $N = 2^k 5^k$ in $\mathbb{Z}[i]$ are the $4k + 4$ elements $\alpha_{s,t} = i^s(1+i)^k(2+i)^t(2-i)^{k-t}$ with $s \in \{0, 1, 2, 3\}$ and $t \in \{0, 1, \ldots, k\}$. Up to conjugacy, we have about $2k = .87 \log N$ elements, so we expect that for a positive fraction of all $k$-values, $d = 1$ gives rise to a prime $p$ and a twist $E$ of the curve $Y^2 = X^3 + X$ having exactly $10^k$ points over $\mathbb{F}_p$. As the graph below indicates, this fraction appears to be close to 0.92.







5.2. Example. Take $k = 2004$. We find that for $(s, t) = (2, 499), (0, 527), (0, 671)$, the element $\alpha_{s,t} = i^s(1+i)^{2004}(2+i)^t(2-i)^{2004-t}$ of norm $10^{2004}$ has the property that $p = N_{\mathbb{Q}(i)/\mathbb{Q}}(1 - \alpha_{s,t})$ is prime. The curve $Y^2 = X^3 + X$ having $j = 1728$ and CM by $\mathbb{Z}[i]$ has 4 twists over $\mathbb{F}_p$ for each of these $p$, but in all cases $Y^2 = X^3 + X$ is the curve having $10^{2004}$ points. This follows from a result in [24] going back to Gauss. It says that if we choose the prime element $\pi = a + bi$ dividing a prime $p \equiv 1 \bmod 4$ in $\mathbb{Z}[i]$ to satisfy $\pi \equiv 1 \bmod (1+i)^3$, then the curve $Y^2 = X^3 + X$ has exactly $p + 1 - (\frac{2}{p})(\pi + \bar\pi) = p + 1 - 2i^{(p-1)/2}a$ points over $\mathbb{F}_p$. In our case, $\pi = 1 - \alpha_{s,t}$ is congruent to 1 modulo $(1+i)^{2004} = -2^{1002}$, so we already know that $Y^2 = X^3 + X$ is the right curve before actually computing $p$.
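The $\mathbb{Z}[i]$ construction above and Gauss's point count, as an added example that is not the paper's code: it enumerates the elements $\alpha_{s,t}$ of norm $10^k$ for a small $k$, keeps those with $p = N(1 - \alpha_{s,t})$ prime, counts the points of $Y^2 = X^3 + cX$ over $\mathbb{F}_p$ by brute force, and compares the $c = 1$ count with Gauss's formula. The normalisation $\pi \equiv 1 \bmod (1+i)^3$ is written out as $a$ odd, $b$ even, $a + b \equiv 1 \bmod 4$; all helper names are the example's own.

```python
# Added example (not the paper's code): Z[i] elements of norm 10^k and Gauss's point count.
from math import isqrt

def gmul(a, b):                       # product in Z[i]; elements are (re, im) pairs
    return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])

def gpow(a, n):
    r = (1, 0)
    for _ in range(n): r = gmul(r, a)
    return r

def is_prime(n):                      # trial division; p is tiny for the k used here
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))

def norm_10k_elements(k):
    """alpha_{s,t} = i^s (1+i)^k (2+i)^t (2-i)^(k-t): the 4k+4 elements of norm 10^k in Z[i]."""
    return {(s, t): gmul(gmul(gpow((0, 1), s), gpow((1, 1), k)),
                         gmul(gpow((2, 1), t), gpow((2, -1), k - t)))
            for s in range(4) for t in range(k + 1)}

def field_sizes(k):
    """(s, t, p) with p = Norm(1 - alpha_{s,t}) prime; a twist of Y^2 = X^3 + X over F_p has 10^k points."""
    out = []
    for (s, t), (x, y) in norm_10k_elements(k).items():
        p = (1 - x) ** 2 + y ** 2     # norm of 1 - alpha = (1 - x) - y i
        if is_prime(p): out.append((s, t, p))
    return out

def count_points(c, p):               # |E(F_p)| for E: Y^2 = X^3 + c X, point at infinity included
    n = 1
    for x in range(p):
        f = (x ** 3 + c * x) % p
        if f == 0: n += 1
        elif pow(f, (p - 1) // 2, p) == 1: n += 2   # f a square: the two points (x, +-y)
    return n

def gauss_count(p):
    """Gauss, p = 1 mod 4: |Y^2 = X^3 + X (F_p)| = p + 1 - (2/p)(pi + pi-bar), where pi = a + b i
    divides p and is normalised by pi = 1 mod (1+i)^3, i.e. a odd, b even, a + b = 1 mod 4."""
    a = next(a for a in range(1, isqrt(p) + 1) if isqrt(p - a * a) ** 2 == p - a * a)
    b = isqrt(p - a * a)
    if a % 2 == 0: a, b = b, a
    if (a + b) % 4 != 1: a = -a
    return p + 1 - (1 if p % 8 == 1 else -1) * 2 * a    # (2/p) = 1 iff p = 1 mod 8 here

def twist_with_order(p, n):           # smallest c with |Y^2 = X^3 + c X (F_p)| = n, or None
    return next((c for c in range(1, p) if count_points(c, p) == n), None)
```

For k = 2 the three primes found are 89, 101 and 113; Gauss's formula already gives 100 points for c = 1 over F_101, while over F_113 the curve Y² = X³ + X has 128 points and a proper twist carries the 100.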

For the purpose of constructing curves having $N = 10^k$ points, there are small values of $d$ that conjecturally work for almost all values of $k$, not just for a positive fraction of them. These $d$ have the property that 2 and 5 both split completely in $\mathbb{Q}(\sqrt{-d})$, i.e., they satisfy $d \equiv 31, 39 \bmod 40$. For such $d$, the number of ideals of norm $N$ grows quadratically in $k$, and hence in $\log N$. If we fix $d$, and hence $h_d$, the number of elements of norm $N$ in $\mathbb{Q}(\sqrt{-d})$ will also grow quadratically in $\log N$, and our Assumption 2 implies that such $d$ will work for all but finitely many $k$.

5.3. Example. Let $\rho$ be a zero of $X^3 + X + 1$. Then $\rho$ is the value of the Weber function $\mathfrak{f}(z) = \zeta_{48}^{-1}\,\eta(\tfrac{z+1}{2})/\eta(z)$ at $z = -1/\omega_{31}$, and a generator of the Hilbert class field of $\mathbb{Q}(\sqrt{-31})$. An elliptic curve $E_j/\mathbb{Q}(\rho)$ having $j$-invariant $j = (\rho^{24} - 16)^3/\rho^{24}$ has endomorphism ring $\mathbb{Z}[\omega_{31}]$. We may take

$$E_j: Y^2 = X^3 + 3j(1728 - j)X + 2j(1728 - j)^2$$

which has good reduction outside $2, 3, 11, 17, 23, 31$. For all values $1 \leq k \leq 1000$ except $k = 1, 2$, there exist primes of the form

$$p = x^2 + 31y^2 = 10^k - 1 + 2x. \qquad (5.4)$$

To find them, we write $(\omega_{31} + 1) = \mathfrak{p}_2\mathfrak{p}_5$ and note that a $\mathbb{Z}[\omega_{31}]$-ideal of norm $10^k$ is principal if and only if we have $s \equiv t \bmod 3$. We use Cornacchia's algorithm to find the generators $\alpha$ for the principal ideals and test whether $N(1 - \alpha)$ is prime. For primes satisfying (5.4), either the reduction $E_j/\mathbb{F}_p$ of $E_j$ over a prime over $p$ in $\mathbb{Q}(\rho)$ or its quadratic twist has exactly $10^k$ rational points over $\mathbb{F}_p$. It is likely that $k = 1, 2$ are the only values of $k$ for which no prime $p$ of the form (5.4) exists, but this is probably very hard to prove.